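# Default roles (role groups) and the task groups / ACIs that implement them.
#
# Layout: a *role group* (cn=<role>,cn=rolegroups,...) is what users get added to;
# each role is in turn a member of one or more *task groups*
# (cn=<task>,cn=taskgroups,...); every ACI below grants its right to a task group
# via groupdn, so the effective rights of a role are the union of the task groups
# it belongs to.  Long ACI values were previously wrapped with LDIF continuation
# lines; they are written on one line here so each value is a single token.

# Add the default roles
dn: cn=helpdesk,cn=rolegroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: helpdesk
add:description: Helpdesk
# NOTE(review): helpdesk is not a member of any task group in this file, so on
# its own it grants nothing; presumably another update file attaches it — verify.

dn: cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: useradmin
add:description: User Administrators

dn: cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: groupadmin
add:description: Group Administrators

dn: cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: hostadmin
add:description: Host Administrators

dn: cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: hostgroupadmin
add:description: Host Group Administrators

dn: cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: delegationadmin
add:description: Role administration

dn: cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: serviceadmin
add:description: Service Administrators

dn: cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: automountadmin
add:description: Automount Administrators

dn: cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: netgroupadmin
add:description: Netgroups Administrators

dn: cn=dnsadmin,cn=rolegroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: dnsadmin
add:description: DNS Administrators

dn: cn=dnsserver,cn=rolegroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: dnsserver
add:description: DNS Servers

dn: cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: certadmin
add:description: Certificate Administrators

# The admins group is made a member of replicaadmin directly, so every admin
# can manage replication agreements without a separate assignment.
dn: cn=replicaadmin,cn=rolegroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: replicaadmin
add:description: Replication Administrators
add:member:'cn=admins,cn=groups,cn=accounts,$SUFFIX'

dn: cn=enrollhost,cn=rolegroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: enrollhost
add:description: Host Enrollment

dn: cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: entitlementadmin
add:description: Entitlement Administrators

# Add the taskgroups referenced by the ACIs for user administration
dn: cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: nsContainer
add:objectClass: top
add:cn: taskgroups

dn: cn=addusers,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: addusers
add:description: Add Users
add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX'

dn: cn=change_password,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: change_password
add:description: Change a user password
add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX'

dn: cn=add_user_to_default_group,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: add_user_to_default_group
add:description: Add user to default group
add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX'

dn: cn=removeusers,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: removeusers
add:description: Remove Users
add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX'

dn: cn=modifyusers,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: modifyusers
add:description: Modify Users
add:member:'cn=useradmin,cn=rolegroups,cn=accounts,$SUFFIX'

# Add the ACIs that grant these permissions for user administration
dn: $SUFFIX
# "Add Users" has no targetattr, so the new entry may carry any attribute the
# schema allows (credential and POSIX attributes included) — the add right is
# not narrowed by this ACI.  Keep that in mind when handing out useradmin.
add:aci: '(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Add Users";allow (add) groupdn = "ldap:///cn=addusers,cn=taskgroups,cn=accounts,$SUFFIX";)'
# Scoped to user entries like its siblings: without the target clause this ACI
# applied to every entry under $SUFFIX that carries these attributes (hosts and
# services included), which is wider than "Change a user password" implies.
# NOTE(review): it still covers members of cn=admins; if password-admin roles
# must not be able to reset admin accounts, add a targetfilter that excludes
# them — needs the memberOf attribute, which this file does not establish.
add:aci: '(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "change_password";allow (write) groupdn = "ldap:///cn=change_password,cn=taskgroups,cn=accounts,$SUFFIX";)'
add:aci: '(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Add user to default group";allow (write) groupdn = "ldap:///cn=add_user_to_default_group,cn=taskgroups,cn=accounts,$SUFFIX";)'
add:aci: '(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Users";allow (delete) groupdn = "ldap:///cn=removeusers,cn=taskgroups,cn=accounts,$SUFFIX";)'
# objectclass is writable here so auxiliary classes can be added to a user;
# note that this also lets a modifyusers holder attach any auxiliary class the
# schema permits, not just the ones the framework expects.
add:aci: '(targetattr = "givenName || sn || cn || displayName || title || initials || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || secretary || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || employeeType || businessCategory || ou || mepManagedEntry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Users";allow (write) groupdn = "ldap:///cn=modifyusers,cn=taskgroups,cn=accounts,$SUFFIX";)'

# Add the taskgroups referenced by the ACIs for group administration
dn: cn=addgroups,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: addgroups
add:description: Add Groups
add:member:'cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX'

dn: cn=removegroups,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: removegroups
add:description: Remove Groups
add:member:'cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX'

dn: cn=modifygroups,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: modifygroups
add:description: Modify Groups
add:member:'cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX'

dn: cn=modifygroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: modifygroupmembership
add:description: Modify Group membership
add:member:'cn=groupadmin,cn=rolegroups,cn=accounts,$SUFFIX'

# Add the ACIs that grant these permissions for group administration
dn: $SUFFIX
add:aci: '(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Add Groups";allow (add) groupdn = "ldap:///cn=addgroups,cn=taskgroups,cn=accounts,$SUFFIX";)'
# Membership of every group under cn=groups is writable with this right,
# including cn=admins — a groupadmin can therefore add members to admins.
add:aci: '(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify group membership";allow (write) groupdn = "ldap:///cn=modifygroupmembership,cn=taskgroups,cn=accounts,$SUFFIX";)'
add:aci: '(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Groups";allow (delete) groupdn = "ldap:///cn=removegroups,cn=taskgroups,cn=accounts,$SUFFIX";)'
# we need objectclass and gidnumber in modify so a non-posix group can be
# promoted
add:aci: '(targetattr = "cn || description || gidnumber || objectclass || mepManagedBy")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Groups";allow (write) groupdn = "ldap:///cn=modifygroups,cn=taskgroups,cn=accounts,$SUFFIX";)'

# Add the taskgroups referenced by the ACIs for host administration
dn: cn=addhosts,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: addhosts
add:description: Add Hosts
add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX'

dn: cn=removehosts,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: removehosts
add:description: Remove Hosts
add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX'

dn: cn=modifyhosts,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: modifyhosts
add:description: Modify Hosts
add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX'

# Add the ACIs that grant these permissions for host administration
dn: $SUFFIX
add:aci: '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Add Hosts";allow (add) groupdn = "ldap:///cn=addhosts,cn=taskgroups,cn=accounts,$SUFFIX";)'
add:aci: '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Hosts";allow (delete) groupdn = "ldap:///cn=removehosts,cn=taskgroups,cn=accounts,$SUFFIX";)'
add:aci: '(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Hosts";allow (write) groupdn = "ldap:///cn=modifyhosts,cn=taskgroups,cn=accounts,$SUFFIX";)'

# Add the taskgroups referenced by the ACIs for hostgroup administration
dn: cn=addhostgroups,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: addhostgroups
add:description: Add Host Groups
add:member:'cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'

dn: cn=removehostgroups,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: removehostgroups
add:description: Remove Host Groups
add:member:'cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'

dn: cn=modifyhostgroups,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: modifyhostgroups
add:description: Modify Host Groups
add:member:'cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'

dn: cn=modifyhostgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: modifyhostgroupmembership
add:description: Modify Host Group membership
add:member:'cn=hostgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'

# Add the ACIs that grant these permissions for hostgroup administration
dn: $SUFFIX
add:aci: '(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "Add Hostgroups";allow (add) groupdn = "ldap:///cn=addhostgroups,cn=taskgroups,cn=accounts,$SUFFIX";)'
add:aci: '(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Hostgroups";allow (delete) groupdn = "ldap:///cn=removehostgroups,cn=taskgroups,cn=accounts,$SUFFIX";)'
add:aci: '(targetattr = "cn || description")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Hostgroups";allow (write) groupdn = "ldap:///cn=modifyhostgroups,cn=taskgroups,cn=accounts,$SUFFIX";)'
add:aci: '(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify host group membership";allow (write) groupdn = "ldap:///cn=modifyhostgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX";)'

# Add the taskgroups referenced by the ACIs for service administration
dn: cn=addservices,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: addservices
add:description: Add Services
add:member:'cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX'

dn: cn=removeservices,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: removeservices
add:description: Remove Services
add:member:'cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX'

dn: cn=modifyservices,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: modifyservices
add:description: Modify Services
add:member:'cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX'

# Add the ACIs that grant these permissions for service administration
dn: $SUFFIX
add:aci: '(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Add Services";allow (add) groupdn = "ldap:///cn=addservices,cn=taskgroups,cn=accounts,$SUFFIX";)'
add:aci: '(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Services";allow (delete) groupdn = "ldap:///cn=removeservices,cn=taskgroups,cn=accounts,$SUFFIX";)'
# Only the service certificate is writable through "Modify Services".
add:aci: '(targetattr = "userCertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Services";allow (write) groupdn = "ldap:///cn=modifyservices,cn=taskgroups,cn=accounts,$SUFFIX";)'

# Add the taskgroups referenced by the ACIs for delegation administration
# This just lets one manage taskgroup membership and create and delete roles.
# Because task-group and role-group membership is writable for *every* task
# group and role group (cn=* targets below), delegationadmin can place any
# principal — itself included — into any task group, so it is transitively as
# powerful as the union of all the rights granted in this file.
dn: cn=addroles,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: addroles
add:description: Add Roles
add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX'

dn: cn=removeroles,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: removeroles
add:description: Remove Roles
add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX'

dn: cn=modifyroles,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: modifyroles
add:description: Modify Roles
add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX'

dn: cn=modifyrolegroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: modifyrolegroupmembership
add:description: Modify Role Group membership
add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX'

dn: cn=modifytaskgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: modifytaskgroupmembership
add:description: Modify Task Group membership
add:member:'cn=delegationadmin,cn=rolegroups,cn=accounts,$SUFFIX'

# Add the ACIs that grant these permissions for delegation administration
dn: $SUFFIX
add:aci: '(target = "ldap:///cn=*,cn=rolegroups,cn=accounts,$SUFFIX")(version 3.0;acl "Add Roles";allow (add) groupdn = "ldap:///cn=addroles,cn=taskgroups,cn=accounts,$SUFFIX";)'
add:aci: '(target = "ldap:///cn=*,cn=rolegroups,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Roles";allow (delete) groupdn = "ldap:///cn=removeroles,cn=taskgroups,cn=accounts,$SUFFIX";)'
add:aci: '(targetattr = "cn || description")(target = "ldap:///cn=*,cn=rolegroups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Roles";allow (write) groupdn = "ldap:///cn=modifyroles,cn=taskgroups,cn=accounts,$SUFFIX";)'
add:aci: '(targetattr = "member")(target = "ldap:///cn=*,cn=rolegroups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify role group membership";allow (write) groupdn = "ldap:///cn=modifyrolegroupmembership,cn=taskgroups,cn=accounts,$SUFFIX";)'
add:aci: '(targetattr = "member")(target = "ldap:///cn=*,cn=taskgroups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify task group membership";allow (write) groupdn = "ldap:///cn=modifytaskgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX";)'

# Add the taskgroups referenced by the ACIs for automount administration
dn: cn=addautomount,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: addautomount
add:description: Add Automount maps/keys
add:member:'cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX'

dn: cn=removeautomount,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: removeautomount
add:description: Remove Automount maps/keys
add:member:'cn=automountadmin,cn=rolegroups,cn=accounts,$SUFFIX'

# Add the ACIs that grant these permissions for automount administration
# (add/delete only — there is no modify right for maps or keys in this file)
dn: $SUFFIX
add:aci: '(target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Add automount maps";allow (add) groupdn = "ldap:///cn=addautomount,cn=taskgroups,cn=accounts,$SUFFIX";)'
add:aci: '(target = "ldap:///automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Remove automount maps";allow (delete) groupdn = "ldap:///cn=removeautomount,cn=taskgroups,cn=accounts,$SUFFIX";)'
add:aci: '(target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Add automount keys";allow (add) groupdn = "ldap:///cn=addautomount,cn=taskgroups,cn=accounts,$SUFFIX";)'
add:aci: '(target = "ldap:///automountkey=*,automountmapname=*,cn=automount,$SUFFIX")(version 3.0;acl "Remove automount keys";allow (delete) groupdn = "ldap:///cn=removeautomount,cn=taskgroups,cn=accounts,$SUFFIX";)'

# Add the taskgroups referenced by the ACIs for netgroup administration
dn: cn=addnetgroups,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: addnetgroups
add:description: Add netgroups
add:member:'cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'

dn: cn=removenetgroups,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: removenetgroups
add:description: Remove netgroups
add:member:'cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'

dn: cn=modifynetgroups,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: modifynetgroups
add:description: Modify netgroups
add:member:'cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'

dn: cn=modifynetgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: modifynetgroupmembership
add:description: Modify netgroup membership
add:member:'cn=netgroupadmin,cn=rolegroups,cn=accounts,$SUFFIX'

# Add the ACIs that grant these permissions for netgroup administration
# Netgroups live under cn=ng,cn=alt and are keyed by ipauniqueid, not cn.
dn: $SUFFIX
add:aci: '(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Add netgroups";allow (add) groupdn = "ldap:///cn=addnetgroups,cn=taskgroups,cn=accounts,$SUFFIX";)'
add:aci: '(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Remove netgroups";allow (delete) groupdn = "ldap:///cn=removenetgroups,cn=taskgroups,cn=accounts,$SUFFIX";)'
add:aci: '(targetattr = "description")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Modify netgroups";allow (write) groupdn = "ldap:///cn=modifynetgroups,cn=taskgroups,cn=accounts,$SUFFIX";)'
add:aci: '(targetattr = "memberhost || externalhost || memberuser || member")(target = "ldap:///ipauniqueid=*,cn=ng,cn=alt,$SUFFIX")(version 3.0;acl "Modify netgroup membership";allow (write) groupdn = "ldap:///cn=modifynetgroupmembership,cn=taskgroups,cn=accounts,$SUFFIX";)'

# Taskgroup for retrieving host keytabs
dn: cn=manage_host_keytab,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: manage_host_keytab
add:description: Manage host keytab
add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX'
add:member:'cn=enrollhost,cn=rolegroups,cn=accounts,$SUFFIX'

# Add the ACI needed to do host keytab admin.
# Write on krbPrincipalKey for every host means a holder can re-key (and so
# impersonate) any enrolled host, not only the one being enrolled.
dn: $SUFFIX
add:aci: '(targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Manage host keytab";allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=taskgroups,cn=accounts,$SUFFIX";)'

# Taskgroup for enrolling hosts. Note that this also requires
# manage_host_keytab access
dn: cn=enroll_host,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: enroll_host
add:description: Enroll a host
add:member:'cn=hostadmin,cn=rolegroups,cn=accounts,$SUFFIX'
add:member:'cn=enrollhost,cn=rolegroups,cn=accounts,$SUFFIX'

# Add the ACI needed to do host enrollment. When this occurs we
# set the krbPrincipalName, add krbPrincipalAux to objectClass and
# set enrolledBy to whoever ran join.
dn: $SUFFIX
add:aci: '(targetattr = "enrolledBy || objectClass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Enroll a host";allow (write) groupdn = "ldap:///cn=enroll_host,cn=taskgroups,cn=accounts,$SUFFIX";)'

# Taskgroup for updating the DNS entries
# NOTE(review): no ACI in this file references update_dns; the DNS ACIs are
# presumably installed by the DNS update file — confirm, or the group is inert.
dn: cn=update_dns,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: update_dns
add:description: Updates DNS
add:member:'cn=dnsadmin,cn=rolegroups,cn=accounts,$SUFFIX'
add:member:'cn=dnsserver,cn=rolegroups,cn=accounts,$SUFFIX'

# Create virtual operations entry. This is used to control access to
# operations that don't rely on LDAP directly.  Each CA operation is
# represented by a container entry; the server checks for write access to
# objectClass on that entry before performing the operation, so the ACIs
# below never grant a real directory write of any consequence.
dn: cn=virtual operations,$SUFFIX
add:objectClass: top
add:objectClass: nsContainer
add:cn: virtual operations

# Retrieve Certificate virtual op
dn: cn=retrieve certificate,cn=virtual operations,$SUFFIX
add:objectClass: top
add:objectClass: nsContainer
add:cn: retrieve certificate

# Taskgroup for retrieving certs
dn: cn=retrieve_certs,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: retrieve_certs
add:description: Retrieve SSL Certificates
add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'

dn: $SUFFIX
add:aci: '(targetattr = "objectClass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,$SUFFIX")(version 3.0;acl "Retrieve Certificates from the CA";allow (write) groupdn = "ldap:///cn=retrieve_certs,cn=taskgroups,cn=accounts,$SUFFIX";)'

# Request Certificate virtual op
dn: cn=request certificate,cn=virtual operations,$SUFFIX
add:objectClass: top
add:objectClass: nsContainer
add:cn: request certificate

# Taskgroup for requesting certs
dn: cn=request_certs,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: request_certs
add:description: Request a SSL Certificate
add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'

dn: $SUFFIX
add:aci: '(targetattr = "objectClass")(target = "ldap:///cn=request certificate,cn=virtual operations,$SUFFIX")(version 3.0;acl "Request Certificates from the CA";allow (write) groupdn = "ldap:///cn=request_certs,cn=taskgroups,cn=accounts,$SUFFIX";)'

# Request Certificate from different host virtual op
dn: cn=request certificate different host,cn=virtual operations,$SUFFIX
add:objectClass: top
add:objectClass: nsContainer
add:cn: request certificate different host

# Taskgroup for requesting certs from a different host
dn: cn=request_cert_different_host,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: request_cert_different_host
add:description: Request a SSL Certificate from a different host
add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'

dn: $SUFFIX
add:aci: '(targetattr = "objectClass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,$SUFFIX")(version 3.0;acl "Request Certificates from a different host";allow (write) groupdn = "ldap:///cn=request_cert_different_host,cn=taskgroups,cn=accounts,$SUFFIX";)'

# Certificate Status virtual op
dn: cn=certificate status,cn=virtual operations,$SUFFIX
add:objectClass: top
add:objectClass: nsContainer
add:cn: certificate status

# Taskgroup for checking the status of a cert request
dn: cn=certificate_status,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: certificate_status
add:description: Status of cert request
add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'

dn: $SUFFIX
add:aci: '(targetattr = "objectClass")(target = "ldap:///cn=certificate status,cn=virtual operations,$SUFFIX")(version 3.0;acl "Get Certificates status from the CA";allow (write) groupdn = "ldap:///cn=certificate_status,cn=taskgroups,cn=accounts,$SUFFIX";)'

# Revoke Certificate virtual op
dn: cn=revoke certificate,cn=virtual operations,$SUFFIX
add:objectClass: top
add:objectClass: nsContainer
add:cn: revoke certificate

# Taskgroup for revoking certs
dn: cn=revoke_certificate,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: revoke_certificate
add:description: Revoke Certificate
add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'

dn: $SUFFIX
add:aci: '(targetattr = "objectClass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,$SUFFIX")(version 3.0;acl "Revoke Certificate";allow (write) groupdn = "ldap:///cn=revoke_certificate,cn=taskgroups,cn=accounts,$SUFFIX";)'

# Certificate Remove Hold virtual op
dn: cn=certificate remove hold,cn=virtual operations,$SUFFIX
add:objectClass: top
add:objectClass: nsContainer
add:cn: certificate remove hold

# Taskgroup for taking a cert off hold
dn: cn=certificate_remove_hold,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: certificate_remove_hold
add:description: Certificate Remove Hold
add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'

dn: $SUFFIX
add:aci: '(targetattr = "objectClass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,$SUFFIX")(version 3.0;acl "Certificate Remove Hold";allow (write) groupdn = "ldap:///cn=certificate_remove_hold,cn=taskgroups,cn=accounts,$SUFFIX";)'

# Taskgroup for managing replicas
dn: cn=managereplica,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: managereplica
add:description: Manage Replication Agreements
add:member:'cn=replicaadmin,cn=rolegroups,cn=accounts,$SUFFIX'

# Taskgroup for deleting replicas
dn: cn=deletereplica,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: deletereplica
add:description: Delete Replication Agreements
add:member:'cn=replicaadmin,cn=rolegroups,cn=accounts,$SUFFIX'

# Add acis allowing admins to read/write/delete replicas.
# These live under cn=config (the mapping tree), not under $SUFFIX.
# targetattr=* grants read and write on every attribute of the replica and
# agreement entries; whoever holds managereplica can therefore alter which
# identities are allowed to replicate into this server and what they send —
# treat it as equivalent to full directory control, not a routine admin right.
dn: cn="$SUFFIX",cn=mapping tree,cn=config
add:aci: '(targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "Manage replication agreements";allow (read, write, search) groupdn = "ldap:///cn=managereplica,cn=taskgroups,cn=accounts,$SUFFIX";)'

dn: cn="$SUFFIX",cn=mapping tree,cn=config
add:aci: '(targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "Delete replication agreements";allow (delete) groupdn = "ldap:///cn=deletereplica,cn=taskgroups,cn=accounts,$SUFFIX";)'

# Entitlement management
dn: cn=addentitlements,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: addentitlements
add:description: Add Entitlements
add:member:'cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX'

dn: cn=removeentitlements,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: removeentitlements
add:description: Remove Entitlements
add:member:'cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX'

dn: cn=modifyentitlements,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
add:cn: modifyentitlements
add:description: Modify Entitlements
add:member:'cn=entitlementadmin,cn=rolegroups,cn=accounts,$SUFFIX'

# Add the ACIs that grant these permissions for entitlement administration
dn: $SUFFIX
add:aci: '(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Add entitlements";allow (add) groupdn = "ldap:///cn=addentitlements,cn=taskgroups,cn=accounts,$SUFFIX";)'

dn: $SUFFIX
add:aci: '(targetattr = "userCertificate")(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Modify entitlements";allow (write) groupdn = "ldap:///cn=modifyentitlements,cn=taskgroups,cn=accounts,$SUFFIX";)'

dn: $SUFFIX
add:aci: '(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Remove entitlement entries";allow (delete) groupdn = "ldap:///cn=removeentitlements,cn=taskgroups,cn=accounts,$SUFFIX";)'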